Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-3198: Can Centrify centrally manage extended ACL on AIX?

Authentication Service ,  

8 April,16 at 12:29 AM

Applies to: Centrify DirectControl on AIX Platforms

Question:
Normally setting up an extended ACL can be done on a a server using the AIX command acledit command:

# acledit test.sh

"Extended permissions" would need to be enabled for test.sh and then the permit line added underneath:

# acledit test.sh
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rwx
group(system): r-x
others: r-x
extended permissions
enabled changed from disabled
permit rwx u:johnsmith added


This will allow user johnsmith to have rwx permissions to this file. The aclget displays:
*
* ACL_type AIXC
*
attributes:
base permissions
owner(root): rwx
group(system): r-x
others: r-x
extended permissions
enabled
permit rwx u:johnsmith


How can this be setup and managed from a global location via Centrify?

Answer:
The target of acledit is a file - i.e. It is updating the ACL of the named file object and requires the EDITOR environment variable to invoke.

This means it is not user-extend attribute related - but is file related. This is beyond the scope of DirectControl.

However, Group Policies are capable of being pushed out to many machines to run some command/script, but as this one requires EDITOR - meaning interaction with user is needed - there is no way to provide the needed interaction.

It may be possible to work with piped input, but this is an untested concept, and it still needs a way to get different input at different times.

As this is beyond the scope of Centrify - The above are provided as possible suggestions only.

Note:
This is about pure AIX file/access permissions. In all other UNIX systems, Linux, Sun, HP, etc., there is no acledit, it is only in AIX. Everything above can be done with the UNIX command chmod, except the AIX extended attributes. Centrify has never done anything with file permissions or file attributes.

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-7555: Unable to login as root after upgrade to Centrify Suite 2016 (CDC 5.3.0) articleKB-3925: How to add Centrify parameter to a group policy articleKB-1323: /etc/security/limits are not being enforced for Centrify zone-enabled users on AIX articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6861: How to Set Limits for Managed Local Users articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleIdentity and Access Management for Hortonworks Data Platform